summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSebastian Rasmussen <sebras@gmail.com>2016-09-27 22:05:47 +0800
committerSebastian Rasmussen <sebras@gmail.com>2016-09-28 00:11:23 +0800
commit793c13601575967fdad69f15fea8e200a436ba9d (patch)
tree812de76e8af84b70d7c0bda045f15f6eadec69de
parent2738bc06e489a17be6fe6d560b6a70b6c51f6572 (diff)
downloadmupdf-793c13601575967fdad69f15fea8e200a436ba9d.tar.xz
tiff: Do not clobber input buffer if fill order is reversed.
-rw-r--r--source/fitz/load-tiff.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c
index 8651c2c0..2e235c94 100644
--- a/source/fitz/load-tiff.c
+++ b/source/fitz/load-tiff.c
@@ -353,14 +353,19 @@ fz_decode_tiff_chunk(fz_context *ctx, struct tiff *tiff, unsigned char *rp, unsi
{
fz_stream *stm;
unsigned i, size;
+ unsigned char *reversed = NULL;
if (rp + rlen > tiff->ep)
fz_throw(ctx, FZ_ERROR_GENERIC, "strip extends beyond the end of the file");
/* the bits are in un-natural order */
if (tiff->fillorder == 2)
+ {
+ reversed = fz_malloc(ctx, rlen);
for (i = 0; i < rlen; i++)
- rp[i] = bitrev[rp[i]];
+ reversed[i] = bitrev[rp[i]];
+ rp = reversed;
+ }
fz_try(ctx)
{
@@ -430,15 +435,11 @@ fz_decode_tiff_chunk(fz_context *ctx, struct tiff *tiff, unsigned char *rp, unsi
fz_always(ctx)
{
fz_drop_stream(ctx, stm);
+ fz_free(ctx, reversed);
}
fz_catch(ctx)
fz_rethrow(ctx);
- /* scramble the bits back into original order */
- if (tiff->fillorder == 2)
- for (i = 0; i < rlen; i++)
- rp[i] = bitrev[rp[i]];
-
return size;
}